~ The MAILING DATE of this communication appears on the cover sheet with the correspondence address-

All claims being allowable, PROSECUTION ON THE MERITS IS (OR REMAINS) CLOSED in this application. If not included
NOTICE OF ALLOWABILITY IS NOT A GRANT OF PATENT RIGHTS. This application is subject to withdrawal from issue at the initiative
EXAMINER'S AMENDMENT

1. An examiner's amendment to the record appears below. Should the 
changes and/or additions be unacceptable to applicant, an amendment may 
be filed as provided by 37 CFR 1.312. To ensure consideration of such an 
amendment, it MUST be submitted no later than the payment of the issue 
fee. 

Authorization for this examiner's amendment was given in a telephone 
interview with Michael P. Dunnam on 05/22/08. 

The claims have been amended as follows: 
1. A method for dynamically managing access to a resource in a computer system, the system having a client thereof [[having an application making an access request for the resource]] requesting access to the resource from an application, the method comprising:

initializing a client authorization context for the client using one or more client context initialization routines;

determining, via an application programming interface, based upon dynamic data possessed by the application and a first dynamic policy whether said client authorization context is to be updated and, if so, updating said client authorization context, wherein said first dynamic policy is tailored to said application through which the resource is accessed;

invoking an access check routine to determine if the [[application or]] client represented by the client authorization context is allowed access to the resource, the application providing said dynamic data and an identifier [[for]] the access check in the client authorization context to the access check routine for comparison against access control entries;

identifying an access control entry as a callback access control entry; and

in response to identifying the access control entry as a callback access control entry and a match between said identifier and an identifier in the callback access control entry, automatically invoking, via said application programming interface, an application-defined dynamic access check routine that performs the access check for the [[application]] client based upon said dynamic data and a second dynamic policy in the callback access control entry for the application, wherein said second dynamic policy is tailored to said application and said dynamic data includes [[authorization policy data stored in said callback access control entry and/or]] run-time data managed by the application.



10. (canceled) 
12. A computer readable storage medium having computer executable instructions stored thereon that when executed by a computer cause the computer to carry out a method for dynamically updating a client authorization context in a computer system having a client thereof [[having an application making an access request for a resource]] requesting access to a resource from an application, the method comprising:

computing a client authorization context after the request for the resource is received from the client;

determining, via an application programming interface, based upon dynamic data possessed by the application and a first dynamic policy whether said client authorization context is to be updated and, if so, updating said client authorization context, wherein said first dynamic policy is tailored to said application through which the resource is accessed;

invoking an access check routine to determine if the [[application or]] client represented by the client authorization context is allowed access to the resource, the application providing said dynamic data and an identifier [[for]] the access check in the client authorization context to the access check routine for comparison against access control entries;

identifying an access control entry as a callback access control entry; and

in response to identifying the access control entry as a callback access control entry and a match between said identifier and an identifier in the callback access control entry, automatically invoking, via said application programming interface, an application-defined dynamic access check routine that performs the access check for the [[application]] client based upon said dynamic data and a second dynamic policy in the callback access control entry for the application, wherein said second dynamic policy is tailored to said application and said dynamic data includes [[authorization policy data stored in said callback access control entry and/or]] run-time data managed by the application.

20. A computer readable storage medium according to claim 12, the method further comprising comparing data to a client authorization context determined based upon static data and policy before said step of determining based upon dynamic data whether the client authorization context is to be updated.

22. A computer readable storage medium having computer executable instructions stored thereon that when executed by a computer cause the computer to perform a method of dynamically managing access to a resource in a computer system, the system having a client thereof [[having an application making an access request for the resource]] requesting access to the resource from an application, the method comprising:

computing a client authorization context after the access request for the resource is received from the client;

determining, via an application programming interface, based upon dynamic data possessed by the application and a first dynamic policy whether said client authorization context is to be updated and, if so, updating said client authorization context, wherein said first dynamic policy is tailored to said application through which the resource is accessed;

providing said dynamic data and the client authorization context to an access check routine;

comparing the client authorization context to at least one access control entry of an access control list to determine if the [[application or]] client represented by the client authorization context is allowed access to the resource;

[[the application providing dynamic data to an access check routine for comparison against access control entries for]] identifying an access control entry having an identifier that matches an identifier in the client authorization context as a callback access control entry; and

in response to identifying the access control entry as a callback access control entry, automatically invoking, via said application programming interface, an application-defined dynamic access check routine that performs the access check for the [[application]] client based upon said dynamic data and a second dynamic policy in the callback access control entry for the application, wherein said second dynamic policy is tailored to said application and said dynamic data includes [[authorization policy data stored in said callback access control entry and/or]] run-time data managed by the application.

26. For an application in a computer system having a resource manager that manages and controls access to a resource and a client thereof requesting access to a resource from an application, a computer readable storage medium having computer executable instructions stored thereon that when executed by the computer system causes the computer system to carry out a method for [[dynamically updating a client authorization context in the computer system, the computer system having a client thereof having an application making an access request for a resource]] carrying out a dynamic authorization callback mechanism that provides extensible support for application-defined business rules via a set of APIs and DACLs including a dynamic groups routine and a dynamic access routine customized to the application, the method comprising:

initializing a client authorization context for the client;

carrying out said dynamic groups routine to update [[for updating]] said client authorization context based upon dynamic data possessed by the application and a first dynamic policy tailored to said application through which the resource is accessed; and

carrying out [[a dynamic authorization callback mechanism]] said dynamic access routine to determine if the [[application or]] client represented by the updated client authorization context is allowed access to the resource, [[the dynamic authorization callback mechanism providing extensible support for application defined business rules via a set of APIs and DACLs including a dynamic groups element, and said dynamic groups element enabling said application to assign temporary group membership, based on dynamic factors, to said client for the purpose of checking access rights, wherein said dynamic groups element and a dynamic access element utilize dynamic data that includes authorization policy data and/or run time data managed by the application]] said dynamic access routine using said dynamic data and a second dynamic policy in a callback access control entry when an identifier in the client authorization context matches an identifier in the callback access control entry, wherein said dynamic data includes run-time data managed by the application.



27. (canceled) 
28. A computer readable storage medium according to claim 26, further comprising registering said dynamic groups [[element]] routine and said dynamic access [[element]] routine with the resource manager upon initializing the resource manager and storing said [[authorization policy data]] second dynamic policy in [[a]] said callback access control entry.

33. A computer readable storage medium having computer executable instructions stored thereon that when executed by a computer causes the computer to provide dynamic authorization of an application in a computer system based upon application-specific or business rules that incorporate dynamic data, the dynamic data including an identifier for identifying whether a dynamic access check callback function should be invoked for conducting said dynamic authorization of said application, data from client operation parameters, authorization policy data stored in a callback access control entry, and any other authorization policy data managed, computed or retrieved by the application, the computer executing said computer executable instructions to perform the steps of:

the application using an initialization routine to register with a resource manager dynamic group functions that enable the application to assign temporary group membership based upon [[transient or changing factors]] said dynamic data to a client for the purpose of checking access rights to a resource protected by the resource manager and to register with said resource manager dynamic access check callback functions that enable the application to perform customized procedures for checking access rights to said resource based on said [[transient or changing factors]] dynamic data;

adding said dynamic access check callback functions to the resource manager's registered callback list; [[and]]

when a user attempts to connect to the application to request the resource, automatically invoking a registered dynamic group function to augment said client authorization context with client contextual data computed using said dynamic data; and

invoking a registered dynamic access check callback function to provide said customized procedures for checking access rights to the resource based on said [[transient or changing factors]] dynamic data and said augmented client authorization context.

The following is an examiner's statement of reasons for allowance. The present invention is directed to a method for authorizing a client's request for accessing a resource using dynamic data, wherein the dynamic data is used to update a client authorization context first and then the updated client authorization context is used to determine whether the request is authorized.

Independent claim 1 identifies the uniquely distinct features: identifying an access control entry as a callback access control entry; and in response to identifying the access control entry as a callback access control entry and a match between said identifier and an identifier in the callback access control entry, automatically invoking, via said application programming interface, an application-defined dynamic access check routine that performs the access check for the client based upon said dynamic data and a second dynamic policy in the callback access control entry for the application, wherein said second dynamic policy is tailored to said application and said dynamic data includes run-time data managed by the application. The closest prior art, Swift (6,308,274), also discloses a method for controlling access to a resource using dynamic data. However, Swift's dynamic data is used only for updating a client authorization context, i.e., generating a restricted token having one or more restricted security IDs, and then the restricted security ID(s) is used to determine whether the request for accessing the resource is authorized. Swift does not disclose that the dynamic data is also used by an application-defined dynamic access check routine that performs the access check. Independent claims 12, 22 and 26 recite similar features and are allowed for the same reasons.

Independent claim 33 identifies the uniquely distinct features: the application using an initialization routine to register with a resource manager dynamic group functions that enable the application to assign temporary group membership based upon said dynamic data to a client for the purpose of checking access rights to a resource protected by the resource manager and to register with said resource manager dynamic access check callback functions that enable the application to perform customized procedures for checking access rights to said resource based on said dynamic data. Swift discloses using (i) dynamic groups functions to assign temporary group membership based on dynamic data and (ii) dynamic access check functions; however, Swift does not disclose an application using an initialization routine to register these functions with a resource manager. Another prior art, "Securing and Managing Web Resources with IBM SecureWay Policy Director - White Paper", also discloses using dynamic data and callback ACEs for controlling access to resources (page 12, 2nd paragraph); however, it does not disclose an application using an initialization routine to register functions for assigning temporary group membership and performing dynamic access check with a resource manager.
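The mechanism the claims and the reasons for allowance describe has two hooks: a dynamic groups routine (the first dynamic policy) that augments the client authorization context with temporary group membership computed from run-time data, and an application-defined dynamic access check routine (the second dynamic policy, stored in a callback ACE) that the resource manager invokes only when an identifier in the context matches the callback ACE's identifier. The following toy model is an added illustration written for this page; it is not the patent's code, nor the Windows AuthZ API or any other real implementation, and every name in it (`ResourceManager`, `Ace`, the bank example, the sample ACL and request data) is constructed. It also goes slightly beyond the claims by showing the fail-closed behaviour a defender would want when no callback is registered or the callback raises.

```python
"""Constructed model of a resource manager with ordinary and callback ACEs.

An application registers two routines with the resource manager:
  * dynamic groups routine  -> adds temporary groups to the client context
  * dynamic access routine  -> evaluates the second dynamic policy stored
                               in a callback ACE once its identifier matches
All identifiers and sample data below are made up for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

READ, WRITE, TRANSFER = 0x1, 0x2, 0x4  # constructed access-right bits


@dataclass
class ClientContext:
    """Client authorization context: static groups plus temporary ones."""
    user: str
    groups: set = field(default_factory=set)


@dataclass
class Ace:
    kind: str                                   # "allow" or "callback"
    identifier: str                             # group the entry applies to
    rights: int
    policy: dict = field(default_factory=dict)  # second dynamic policy (callback ACEs)


DynamicGroupsFn = Callable[[ClientContext, dict], set]
DynamicAccessFn = Callable[[ClientContext, dict, dict], bool]


class ResourceManager:
    """Holds the application's registered callbacks and runs the access check."""

    def __init__(self):
        self._dynamic_groups: Optional[DynamicGroupsFn] = None
        self._dynamic_access: Optional[DynamicAccessFn] = None

    def register(self, dynamic_groups: DynamicGroupsFn, dynamic_access: DynamicAccessFn):
        """Initialization-time registration of both routines (claim 33 style)."""
        self._dynamic_groups = dynamic_groups
        self._dynamic_access = dynamic_access

    def access_check(self, ctx: ClientContext, acl: list, requested: int, dynamic_data: dict) -> bool:
        # Step 1: the first dynamic policy updates the context with temporary groups.
        if self._dynamic_groups is not None:
            ctx.groups |= self._dynamic_groups(ctx, dynamic_data)
        granted = 0
        for ace in acl:
            if ace.identifier not in ctx.groups:
                continue  # no identifier match: the ACE (callback or not) is skipped
            if ace.kind == "allow":
                granted |= ace.rights
            elif ace.kind == "callback":
                # Step 2: identifier matched a callback ACE, so invoke the
                # application-defined routine with the ACE's own policy.
                # Deny-by-default if nothing is registered or the callback fails.
                if self._dynamic_access is None:
                    continue
                try:
                    if self._dynamic_access(ctx, ace.policy, dynamic_data):
                        granted |= ace.rights
                except Exception:
                    continue
        return requested & granted == requested


# ---- application side (constructed banking example) ------------------------

def bank_dynamic_groups(ctx: ClientContext, dynamic_data: dict) -> set:
    """First dynamic policy: temporary membership derived from run-time data."""
    groups = set()
    if 9 <= dynamic_data.get("hour", -1) < 17:
        groups.add("BusinessHours")
    return groups


def bank_dynamic_access(ctx: ClientContext, policy: dict, dynamic_data: dict) -> bool:
    """Second dynamic policy: per-ACE transfer limit, waived for managers."""
    return dynamic_data.get("amount", 0) <= policy["max_amount"] or "Managers" in ctx.groups


ACCOUNT_ACL = [
    Ace("allow", "Tellers", READ),
    Ace("callback", "BusinessHours", TRANSFER, {"max_amount": 1000}),
]


def check(user: str, static_groups: set, requested: int, dynamic_data: dict) -> bool:
    """Register both routines, build a context, and run the access check."""
    rm = ResourceManager()
    rm.register(bank_dynamic_groups, bank_dynamic_access)
    ctx = ClientContext(user, set(static_groups))
    return rm.access_check(ctx, ACCOUNT_ACL, requested, dynamic_data)


def check_unregistered(requested: int) -> bool:
    """Same ACL, but the application never registered its routines."""
    rm = ResourceManager()
    ctx = ClientContext("alice", {"Tellers", "BusinessHours"})
    return rm.access_check(ctx, ACCOUNT_ACL, requested, {"hour": 10, "amount": 1})


if __name__ == "__main__":
    print(check("alice", {"Tellers"}, TRANSFER, {"hour": 10, "amount": 500}))   # True
    print(check("alice", {"Tellers"}, TRANSFER, {"hour": 22, "amount": 500}))   # False
```

Two properties worth noticing when auditing a design like this: the callback routine is never consulted for a client whose context lacks the callback ACE's identifier, so the dynamic groups routine effectively gates which requests reach application code; and because the second policy lives in the ACE rather than in the callback, changing a limit is an ACL edit, not a code change, which is also why the ACL itself needs the same change-control as code.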

The prior art, taken either singly or in combination, fails to anticipate or fairly suggest the limitations of applicant's independent claim, in such a manner that a rejection under 35 U.S.C. 102 or 103 would be proper. The claimed invention is therefore considered to be in condition for allowance as being novel and nonobvious over prior art.

Any comments considered necessary by applicant must be submitted 
no later than the payment of the issue fee and, to avoid processing delays, 
should preferably accompany the issue fee. Such submissions should be 
clearly labeled "Comments on Statement of Reasons for Allowance." 

Any inquiry concerning this communication or earlier communications 
from the examiner should be directed to MINH DINH whose telephone 
number is (571)272-3802. The examiner can normally be reached on Mon- 
Fri: 10:00am-6:30pm. 

If attempts to reach the examiner by telephone are unsuccessful, the 
examiner's supervisor, Gilberto Barron can be reached on 571-272-3799. 
The fax phone number for the organization where this application or 
proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained 
from the Patent Application Information Retrieval (PAIR) system. Status 
information for published applications may be obtained from either Private 
PAIR or Public PAIR. Status information for unpublished applications is 
available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on 
access to the Private PAIR system, contact the Electronic Business Center 
(EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272- 
1000. 